d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea

Resubmissions

21-01-2021 12:49

210121-vyx2jls6hn 10

21-01-2021 12:43

210121-edx8qfxjt2 10

Analysis

max time kernel
40s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
21-01-2021 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uploads[1].png.0.dr.exe
Size

1.3MB
MD5

b9ab9ac3b5335fdca292acb7ca85eb14
SHA1

26847a08f6e0504aff926b6278b2b8efdc90036a
SHA256

d8773bf354256f487554f23646d4dc38fe4fd54ab4e3936d60e9f507da35feea
SHA512

b0ed0d2a1291dc20a4a8b080c95fcdd34413cce70e95ea554675fb57a327e9b33cb79844278eb3d32398d2d2457e409ca4736ef2c24633ed8306809df7d197b1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Tua.comTua.comTua.com

pid process

1376 Tua.com
748 Tua.com
3940 Tua.com

pid	process
1376	Tua.com
748	Tua.com
3940	Tua.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

uploads[1].png.0.dr.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	uploads[1].png.0.dr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	uploads[1].png.0.dr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Tua.com

description pid process target process

PID 748 set thread context of 3940 748 Tua.com Tua.com
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2868 PING.EXE

description	pid	process	target process
PID 748 set thread context of 3940	748	Tua.com	Tua.com

pid	process
2868	PING.EXE

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

uploads[1].png.0.dr.execmd.execmd.exeTua.comTua.com

description	pid	process	target process
PID 644 wrote to memory of 3356	644	uploads[1].png.0.dr.exe	cmd.exe
PID 644 wrote to memory of 3356	644	uploads[1].png.0.dr.exe	cmd.exe
PID 644 wrote to memory of 3356	644	uploads[1].png.0.dr.exe	cmd.exe
PID 644 wrote to memory of 3712	644	uploads[1].png.0.dr.exe	cmd.exe
PID 644 wrote to memory of 3712	644	uploads[1].png.0.dr.exe	cmd.exe
PID 644 wrote to memory of 3712	644	uploads[1].png.0.dr.exe	cmd.exe
PID 3712 wrote to memory of 2924	3712	cmd.exe	certutil.exe
PID 3712 wrote to memory of 2924	3712	cmd.exe	certutil.exe
PID 3712 wrote to memory of 2924	3712	cmd.exe	certutil.exe
PID 3712 wrote to memory of 192	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 192	3712	cmd.exe	cmd.exe
PID 3712 wrote to memory of 192	3712	cmd.exe	cmd.exe
PID 192 wrote to memory of 4016	192	cmd.exe	findstr.exe
PID 192 wrote to memory of 4016	192	cmd.exe	findstr.exe
PID 192 wrote to memory of 4016	192	cmd.exe	findstr.exe
PID 192 wrote to memory of 2312	192	cmd.exe	certutil.exe
PID 192 wrote to memory of 2312	192	cmd.exe	certutil.exe
PID 192 wrote to memory of 2312	192	cmd.exe	certutil.exe
PID 192 wrote to memory of 1376	192	cmd.exe	Tua.com
PID 192 wrote to memory of 1376	192	cmd.exe	Tua.com
PID 192 wrote to memory of 1376	192	cmd.exe	Tua.com
PID 192 wrote to memory of 2868	192	cmd.exe	PING.EXE
PID 192 wrote to memory of 2868	192	cmd.exe	PING.EXE
PID 192 wrote to memory of 2868	192	cmd.exe	PING.EXE
PID 1376 wrote to memory of 748	1376	Tua.com	Tua.com
PID 1376 wrote to memory of 748	1376	Tua.com	Tua.com
PID 1376 wrote to memory of 748	1376	Tua.com	Tua.com
PID 748 wrote to memory of 3940	748	Tua.com	Tua.com
PID 748 wrote to memory of 3940	748	Tua.com	Tua.com
PID 748 wrote to memory of 3940	748	Tua.com	Tua.com

C:\Users\Admin\AppData\Local\Temp\uploads[1].png.0.dr.exe
"C:\Users\Admin\AppData\Local\Temp\uploads[1].png.0.dr.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\cmd.exe
cmd /c fhlfszSNj
2⤵
PID:3356

C:\Windows\SysWOW64\cmd.exe
cmd /c certutil -decode Brucia.xls Suo.dot & cmd < Suo.dot
2⤵
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\SysWOW64\certutil.exe
certutil -decode Brucia.xls Suo.dot
3⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:192

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^lJeUmwiXzEXbPwzCIHvkQFe$" Estremita.adt
4⤵
PID:4016

C:\Windows\SysWOW64\certutil.exe
certutil -decode Ore.ini Z
4⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
Tua.com Z
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com Z
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
6⤵
- Executes dropped EXE
PID:3940

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:2868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Appare.sys
MD5
f24168a8978d6f37d25752f05efdf8c2

SHA1
f0680ec42311212cef68370a83f4d62c7966099e

SHA256
08459331eceb39b60a5b166ee3322767c157292dc108df54933227c6bd500b28

SHA512
1d95ceeb4f861eb36b23145dc39db42bd8960f721dc6632428e2243446c1e7b02a39488c30ecaf28757b857ef78cf842ec99e11fa00380b766126fdf6134c724

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Brucia.xls
MD5
82d90d91a120a19919dbc524880a2eae

SHA1
b86fb4b724d11d5c412e04251e0cd830755ef007

SHA256
875a4cdc9fbd55810dd252f8e35512fffb892a79e517411d1fcbd917685efc8a

SHA512
1dba871074f97c68fe0c49bab166f801bcfad153be12e346f9baf39b9b1642d2db4b6255da5153ebf2994ba4c7d722011b98c4b053ece8313102995fa4e16440

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Estremita.adt
MD5
8253b4f0646e3c127d146110f889215e

SHA1
64a92b27c3762f2b0bc6af67c1de6e006c1b820d

SHA256
08607493aab770b45ffdb7ffe5c1f3a5e5fdba0b55d03251f7117ee10f4d67ad

SHA512
b6013ef36f296c50ab1a1b15b27fc8b5ba840d66279fcf5eab396c1fc5058760c6f08626a1119790bccd794fad1e2eb7cb764245408ade1838926a0e4e3d5f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ore.ini
MD5
6c2dfee26bbca7045c465d9c0414b652

SHA1
58ed46c2dc00097521d0db0819541d9e4909deb8

SHA256
eeb47e521e0facfb217aef0e9c1cb57e147340b8e1c3d8e4acdff3e04dad2eef

SHA512
8ddc4974e35b2fdf35556b28e4c49f3290308f537ce0f50ee6ddcd466abc8a1908c28905ac07a721f0b75f514a1b503c4464267e7bc51107a459f46c4ee93ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Suo.dot
MD5
9d88809cceb6dab6ed296d8bef0dc0d5

SHA1
a31e613888ca0cb3fd77d208c8621c05d2828ab9

SHA256
74e36bf70290030e791e981aca49b1cc3e4e96aa12949add2d254cad3a095d37

SHA512
84efe76ccc711af625a5f6a8fd3fb92dffda62b554f44df9ff9b65152a461f1c54659dca68debef324512d97d32b677e3fe6b6210f4bbec25a1cec02c657ab8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tua.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Z
MD5
89fbfd3b8f82003de0ced3fd68406bdd

SHA1
57b2cc29133732e93ed2cf3853476dfecc8d007c

SHA256
f091e7d727e58c93bdb06ffceca3ee720a29768ff9b175c35a978f68777d5388

SHA512
8aa61d225a338733fa81f7abd5c288ff14a02669393c8a2f369712da614ff582d4144c6920bb36b13a64de583918f7c5524f8f2d738291dcf1ca8c43df98beb3

Download Submit
memory/192-7-0x0000000000000000-mapping.dmp

Download
memory/748-16-0x0000000000000000-mapping.dmp

Download
memory/748-21-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/1376-12-0x0000000000000000-mapping.dmp

Download
memory/2312-10-0x0000000000000000-mapping.dmp

Download
memory/2868-14-0x0000000000000000-mapping.dmp

Download
memory/2924-4-0x0000000000000000-mapping.dmp

Download
memory/3356-2-0x0000000000000000-mapping.dmp

Download
memory/3712-3-0x0000000000000000-mapping.dmp

Download
memory/4016-8-0x0000000000000000-mapping.dmp

Download